| From 150946345d92e1aab54668aef378b8ec99057d26 Mon Sep 17 00:00:00 2001 |
| From: Eyal Birger <eyal.birger@gmail.com> |
| Date: Tue, 14 Jan 2020 10:03:50 +0200 |
| Subject: [PATCH] netfilter: nat: fix ICMP header corruption on ICMP errors |
| |
| commit 61177e911dad660df86a4553eb01c95ece2f6a82 upstream. |
| |
| Commit 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts") |
| made nf_nat_icmp_reply_translation() use icmp_manip_pkt() as the l4 |
| manipulation function for the outer packet on ICMP errors. |
| |
| However, icmp_manip_pkt() assumes the packet has an 'id' field which |
| is not correct for all types of ICMP messages. |
| |
| This is not correct for ICMP error packets, and leads to bogus bytes |
| being written the ICMP header, which can be wrongfully regarded as |
| 'length' bytes by RFC 4884 compliant receivers. |
| |
| Fix by assigning the 'id' field only for ICMP messages that have this |
| semantic. |
| |
| Reported-by: Shmulik Ladkani <shmulik.ladkani@gmail.com> |
| Fixes: 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts") |
| Signed-off-by: Eyal Birger <eyal.birger@gmail.com> |
| Acked-by: Florian Westphal <fw@strlen.de> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c |
| index 83a24cc5753b..3974383791a6 100644 |
| --- a/net/netfilter/nf_nat_proto.c |
| +++ b/net/netfilter/nf_nat_proto.c |
| @@ -233,6 +233,19 @@ icmp_manip_pkt(struct sk_buff *skb, |
| return false; |
| |
| hdr = (struct icmphdr *)(skb->data + hdroff); |
| + switch (hdr->type) { |
| + case ICMP_ECHO: |
| + case ICMP_ECHOREPLY: |
| + case ICMP_TIMESTAMP: |
| + case ICMP_TIMESTAMPREPLY: |
| + case ICMP_INFO_REQUEST: |
| + case ICMP_INFO_REPLY: |
| + case ICMP_ADDRESS: |
| + case ICMP_ADDRESSREPLY: |
| + break; |
| + default: |
| + return true; |
| + } |
| inet_proto_csum_replace2(&hdr->checksum, skb, |
| hdr->un.echo.id, tuple->src.u.icmp.id, false); |
| hdr->un.echo.id = tuple->src.u.icmp.id; |
| -- |
| 2.7.4 |
| |